
Re: [script] for AV evasion

First off, great script. (BTW if anyone here has any Perl coding skills, I'm writing an ASM ghostwriting automation tool in Perl. Any help would be appreciated. That should help to make FUD payloads.)
Second off, I get this error on part two. Also, I'm not entirely sure how to integrate part two into a pentest. All this does is set up the site and Java so that when a user browses to my IP from a spoofed DNS response he will be pwned?
[*] Stripping out the debugging symbols...[*] Moving trojan horse to web root...
**************************************
1) apache server
2) java applet attack
3) create evil PDF
**************************************
Select an attack (1-n):2
Traceback (most recent call last):
File "./crypter.py", line 137, in <module>
subprocess.Popen(args=["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]).pid
File "/usr/lib/python2.6/subprocess.py", line 633, in __init__
errread, errwrite)
File "/usr/lib/python2.6/subprocess.py", line 1139, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or director

I've been getting this output and trying to debug, but so far I have no idea what's causing it. Do you?
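The traceback above is raised by subprocess.Popen itself, before anything runs: OSError with Errno 2 (ENOENT) in _execute_child means the program in args[0] (here gnome-terminal) could not be found or executed. A missing javaAttack.sh would not surface this way; sh would complain about it inside the terminal window and Python would never see it. The following is an added example, not code from the thread or from crypter.py, written for Python 3, that checks both conditions before launching and catches the error the script left unhandled. The argv values are taken from the traceback; the "sh -c 'exit 3'" sample and the fake binary name are constructed for illustration.

```python
import errno
import os
import shlex
import shutil
import subprocess


def preflight(argv, path=None, exists=None):
    """Check an argv list the way Popen will use it and return a list of problems.

    Popen raises OSError(ENOENT) only when argv[0] cannot be found on PATH.
    A script named inside a '--command=' argument is resolved later by the
    inner shell, so a missing script fails inside the terminal, not in Python.
    `path` and `exists` are injectable so the check can run offline in a test.
    """
    if exists is None:
        exists = os.path.exists
    problems = []

    # This is the check that corresponds to the traceback's Errno 2.
    if shutil.which(argv[0], path=path) is None:
        problems.append(
            "executable %r not found on PATH (this is what raises Errno 2)" % argv[0]
        )

    # gnome-terminal style '--command=sh /path/to/script.sh': inspect the inner command.
    for arg in argv[1:]:
        if arg.startswith("--command="):
            inner = shlex.split(arg[len("--command="):])
            # inner[0] is the shell (sh); the remaining tokens are its arguments.
            for tok in inner[1:]:
                if tok.startswith("/") and not exists(tok):
                    problems.append(
                        "script %r does not exist (would fail inside the terminal, not in Python)"
                        % tok
                    )
    return problems


def launch_report(argv):
    """Launch argv and report what happened instead of letting OSError escape.

    In Python 2.6 the failure is a plain OSError; in Python 3 it is
    FileNotFoundError, a subclass of OSError, so this clause catches both.
    """
    try:
        proc = subprocess.Popen(
            argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL
        )
    except OSError as exc:
        return {
            "started": False,
            "errno": exc.errno,
            "missing": argv[0] if exc.errno == errno.ENOENT else None,
        }
    return {"started": True, "returncode": proc.wait()}


if __name__ == "__main__":
    # The exact argv from the traceback in the post above.
    argv = ["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]
    for problem in preflight(argv):
        print("preflight:", problem)
    print(launch_report(argv))
```

Running preflight on the traceback's argv on a machine without gnome-terminal reports the executable first; if that line appears, fixing permissions on javaAttack.sh cannot help, because Python never gets as far as the script.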

You're right, part 2 isn't really useful in a pentest. I don't do this as a job. It's just a hobby, so I didn't really think about that.

As for your error, did you set execution permission for javaAttack.sh, and is it in your Metasploit directory?
If you did and it still isn't working maybe changing

will work.
This is a strange error and you are the first one to have it.

I don't think I will be able to help with your ghostwriting tool, as I don't know so much about ASM and I haven't really done much in Perl before.
I'm kind of trying to learn more ASM because I find you need it a lot.

To make my script FUD again I thought to write a C++ program that would call a process in suspended mode and then write the shellcode to the process and resume the process. This is kind of a known method to AVs, so I would need to obfuscate my API calls.

I also think that encrypting your shellcode on disk and decrypting it in memory is not good enough anymore. AV sandboxes really step through your program step by step until they find something. Ghostwriting ASM is probably the best option.

Re: [script] for AV evasion

So I read that paper, and it was pretty awesome. If you can use that in your script it would be pretty cool. A couple of things. 1) Allow for just compiling and placing the trojan in root. Do not force the listener to be started. In a pentest with phishing, it is annoying to have to cancel the listener every time, instead of continuing down the custom payload path with your executable.

2) when I finally finish my ASM GW script, allowing for default payload obfuscation, integration into your script would be very cool. Do not let this stop you from writing your own, I have several py ghostwriting scripts I can give you to help you get started.

3) My javaAttack.sh is obviously both executable and found in the dir, but even when I change your line to the suggested one it fails with the same error.

Re: [script] for AV evasion

1) I tested the method of connecting to 127.0.0.1:445 to check whether your malware is running in a sandbox or not, and it worked on Avira and some other AVs. Although it doesn't bypass all of them. I know AVs don't like socket APIs, so maybe I'll try to hide them. I'll post the code for this tomorrow. I will allow for just compiling and placing the exe in /root in the next version of the script.

2) Yes, it would be really cool to integrate the scripts. Also, I would really appreciate it if you would share one of your py GW scripts. I think I could learn a lot from them.

3) Tomorrow I'll take a deeper look at the error. I'll finally have some time to work on the script.

4) I'll look into it. Although I don't really like to use C# for this. You would always need a Windows machine to compile.

5) I'll try some different methods and see which one is the best.

6) I'll also check it tomorrow.

Last edited by LHYX1; 07-13-2012 at 05:47 AM.


This is one technique, albeit not the one I am using for my Perl script. I'll ask the author of the second one for permission to post, and if he says yes I will. I look forward to the next version of your script. Edit the first post and provide a link in the next post as well.

World Domination is such an ugly phrase. I prefer the term World Optimization.

Re: [script] for AV evasion

Nice tool. I've modified the loop values to 105000, but it is still detected by Kaspersky, Avira, F-Secure and BitDefender. Please have a look and update it so it may bypass all of them. I would say to make it dynamic ghostwriting.

Re: [script] for AV evasion

As I've been working on ASM ghostwriting for the past many months, I can tell you this with some authority. To do anything more complicated than XOR or static string replacement is *HARD*. This is not something that'll happen overnight.


Re: [script] for AV evasion

Thanks for your prompt response. @Shadow and @LHYX1, could you guys please help me out with what I need to change to avoid this detection, since it is scan-time based, not run-time based encryption. @LHYX1, I've edited your script structure.c to fulfill my needs.

Please share your valuable thoughts and let me know of some guide or something where I can learn more. If possible, let me know whether it is possible to make changes to the current script. I have not made any changes to crypter.py.